Skip to content

ci: migrate light jobs to smithy self-hosted runners#458

Open
avrabe wants to merge 1 commit intomainfrom
smithy-migration
Open

ci: migrate light jobs to smithy self-hosted runners#458
avrabe wants to merge 1 commit intomainfrom
smithy-migration

Conversation

@avrabe
Copy link
Copy Markdown
Contributor

@avrabe avrabe commented May 3, 2026

Summary

Migrates 5 small, dependency-free CI jobs in rules_wasm_component from GitHub-hosted ubuntu-latest to the smithy self-hosted fleet (light class, 4 GB MemoryHigh). The remaining 17 jobs stay on hosted runners because they depend on Bazel, sudo apt-get, docker run against vendor BCR images, or non-Linux platforms — none of which are currently in the smithy toolchains role.

This follows the pulseengine/spar#201 / rivet / kiln / gale migration playbook documented at https://github.com/pulseengine/smithy/blob/main/docs/migration-playbook.md.

Coverage

Migrated to [self-hosted, linux, x64, light]

Workflow Job Why light is enough
ci.yml release git-cliff + rsync + tar; no compile
integration-examples.yml trigger-integration only invokes peter-evans/repository-dispatch
production-readiness.yml security-validation grep / regex over toolchains/
production-readiness.yml production-readiness echo-only summary
release.yml create_release git-cliff + rsync + tar + GH release upload
weekly-checksum-update.yml notify echo-only

Stays on hosted (with in-place reason comments)

Workflow Job Reason
ci.yml lint Bazel (buildifier)
ci.yml hermiticity-check Bazel
ci.yml test-linux Bazel + service container registry:2
ci.yml test-macos macOS only
ci.yml test-windows Windows only
ci.yml bcr-docker-test docker run vs vendor BCR image
ci.yml integration Bazel + sudo apt-get
bcr-compatibility.yml all 7 jobs Bazel + vendor docker run + multi-OS matrix
docs-deploy.yml bazel-build-and-deploy Bazel
integration-examples.yml direct-integration-test Bazel + sudo mv install
production-readiness.yml smoke-tests Bazel + macOS matrix
production-readiness.yml performance-benchmark Bazel
production-readiness.yml compatibility-matrix Bazel + macOS matrix
weekly-checksum-update.yml checksum-update Bazel + sudo apt-get install

publish.yml and publish-to-bcr.yml only call the bazel-contrib/publish-to-bcr reusable workflow and have no own runs-on: to change.

Workarounds applied

None — the migrated jobs are pure shell / Node and the playbook's standard workarounds (sudo mv, cargo-deny-action, free-disk-space gate, syft -b flag) didn't apply. Every kept-hosted job already uses one of these patterns and the comment names which one.

Test plan

  • PR CI green on release (light) — runs only on push to main, so first real exercise will be the next merge to main; pre-merge dry-run is the workflow YAML lint
  • PR CI green on trigger-integration (light)
  • PR CI green on security-validation (light)
  • PR CI green on production-readiness (light)
  • PR CI green on notify (light, only fires after checksum-update)
  • All hosted jobs unchanged behavior

Rollback

Revert the merge commit; every change is runs-on: only.

Follow-ups (out of scope here, tracked in smithy)

  • Bazel toolchain on smithy would unblock the bulk (~12 jobs) of this repo's CI.
  • BCR vendor docker run jobs need podman-shim validation against gcr.io/bazel-public/ubuntu2204.

@avrabe
ci: migrate 5 of 22 jobs to smithy self-hosted runners
a860679 
  light        ci.yml::release
                integration-examples.yml::trigger-integration
                production-readiness.yml::security-validation
                production-readiness.yml::production-readiness
                release.yml::create_release
                weekly-checksum-update.yml::notify

Stays on ubuntu-latest:
  - ci.yml::lint                                Bazel (buildifier) not on smithy
  - ci.yml::hermiticity-check                   Bazel
  - ci.yml::test-linux                          Bazel + service container (registry:2)
  - ci.yml::test-macos                          macOS only
  - ci.yml::test-windows                        Windows only
  - ci.yml::bcr-docker-test                     docker run against vendor BCR image
  - ci.yml::integration                         Bazel + sudo apt-get
  - bcr-compatibility.yml::bcr-hermetic-test    docker run against vendor BCR image
  - bcr-compatibility.yml::bcr-toolchain-validation   docker run vendor BCR image
  - bcr-compatibility.yml::bcr-multi-platform-test    multi-OS matrix + Bazel
  - bcr-compatibility.yml::bcr-incompatible-flags-test Bazel
  - bcr-compatibility.yml::bcr-metadata-validation    keeping co-located with BCR suite
  - bcr-compatibility.yml::bcr-test-module-validation Bazel
  - bcr-compatibility.yml::bcr-summary               keeping co-located with BCR suite
  - docs-deploy.yml::bazel-build-and-deploy     Bazel
  - integration-examples.yml::direct-integration-test Bazel + sudo mv
  - production-readiness.yml::smoke-tests       Bazel + macOS matrix
  - production-readiness.yml::performance-benchmark Bazel
  - production-readiness.yml::compatibility-matrix  Bazel + macOS matrix
  - weekly-checksum-update.yml::checksum-update Bazel + sudo apt-get install

The repo is a Bazel rules project for WebAssembly components, so the
overwhelming majority of jobs depend on Bazel which is not yet on the
smithy toolchains role. The five migrated jobs are pure shell/Node
tasks (release archive creation, integration test dispatch, checksum
greps, status summaries) that have no Bazel/sudo/apt-get/container
dependencies and run comfortably on the 'light' (4G) class.

publish.yml and publish-to-bcr.yml only call the bazel-contrib reusable
workflow and have no own runs-on, so nothing to migrate there.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@avrabe